🚨 Runner-Guard Security Finding
Rule: RGS-012 - Secret Exfiltration via Outbound HTTP Request
Severity: High
File: .github/workflows/daily-model-inventory.md (and 3 others)
Lines: 986, 1049, 1114, 1178 (daily-model-inventory); 458 (docs-noob-tester); additional occurrences in unbloat-docs, visual-regression-checker
Description
run: blocks contain outbound HTTP request commands (curl, wget, etc.) targeting non-GitHub domains in job contexts that have access to secrets or publishing capabilities.
This pattern is a strong indicator of credential exfiltration, the primary objective of most GitHub Actions supply-chain attacks. Attackers who achieve code execution in a CI runner (via expression injection, fork checkout, compromised action, etc.) need a way to exfiltrate stolen secrets to infrastructure they control.
Impact
The combination of external HTTP requests with secrets access is a high-confidence indicator of either:
- Active exploitation: secrets being actively exfiltrated to attacker infrastructure
- Dangerous pattern: legitimate external API calls that could be leveraged if the workflow is compromised via another vector (expression injection, malicious PR, etc.)
Exposed secrets may include: CODEX_API_KEY, GH_AW_GITHUB_TOKEN, OPENAI_API_KEY, GITHUB_TOKEN
Affected Workflows (4)
| Workflow | Occurrences |
|---|---|
| daily-model-inventory | 4 (lines 986, 1049, 1114, 1178) |
| docs-noob-tester | 1 (line 458) |
| unbloat-docs | 1 |
| visual-regression-checker | 2 |
Remediation
- Audit each outbound HTTP call: Verify the target domain is expected and legitimate (e.g., api.openai.com, api.anthropic.com)
- Ensure no secrets are passed as URL parameters: Use request headers instead, and never log request details
- Apply network isolation: Use the gh-aw firewall to whitelist only required external domains
- Audit workflow triggers: If these workflows run on pull_request_target or issue_comment, restrict them to trusted authors
- Consider secret rotation: If any of these workflows have been recently triggered by untrusted PRs or comments, rotate any accessed secrets
```yaml
# Safer pattern: use the gh-aw firewall to allowlist domains
# In workflow configuration:
firewall:
  allowed_domains:
    - api.openai.com
    - api.anthropic.com
```
Detected by runner-guard v2.6.0 - CI/CD source-to-sink vulnerability scanner
Workflow run: https://github.com/github/gh-aw/actions/runs/25303186183
Generated by Static Analysis Report · 356.4K